workflows-mcp

The server's core functionality involves executing arbitrary shell commands (`Shell` block type) and interacting with external APIs/filesystems as defined in YAML workflows. While this is its intended purpose for automation, it inherently carries security risks if malicious workflows are executed. The project implements several important mitigations: automatic secret redaction from outputs, audit logging for secret access, and robust variable resolution rules (`ForbiddenNamespaceRule`, `SecretRedactionRule`) to prevent unauthorized access to system resources or secrets from Jinja2 templates. However, one of the first-party templates (`github-create-issue.yaml`) utilizes `eval` within a `Shell` block for dynamic command construction. Although variables are constructed carefully, the use of `eval` in a shell context is generally a high-risk operation and can be a vector for shell injection if inputs are not perfectly sanitized. The `ShellExecutor` itself uses `shlex.split` for command execution (safer than `shell=True`), but the ultimate impact depends on the content of the `command` string after all template rendering.